Stolen Laptop Costs Heart Monitor Company $2.5 Million

CardioNet calls itself the “leading supplier of Mobile Cardiac Outpatient Telemetry.” In other words, they sell wireless devices that help monitor heart conditions in patients. Now CardioNet is leading the way in multi-million dollar settlements with OCR for violating HIPAA privacy and security rules. On April 24, 2017 OCR announced the $2.5 million settlement.

In January of 2012, an employee of CardioNet left an unencrypted laptop in a vehicle while it was parked at the employee’s home. That’s bad enough, but it got worse when the laptop was stolen and the employee realized it contained the ePHI of 1,391 patients.

As far as OCR is concerned, CardioNet made three fatal mistakes. First, CardioNet did not conduct a risk analysis to identify the threats to the privacy and security of PHI that the company maintained. Second, they did not create and implement policies and procedures that determined how the company would act to minimize those threats. CardioNet’s policies and procedures had been partially drafted but never completed. Third, CardioNet did not implement safeguards to prevent unlawful disclosure of PHI, particularly safeguards for mobile devices.

Humans are fallible and mistakes happen; but, that doesn’t mean we can shrug and give up. CardioNet’s fine might have been substantially lower if they could have demonstrated that they had made a greater effort to comply. Mistakes, combined with intentional disregard of the rules, are the ingredients of multi-million dollar fines.

The large fine and, more importantly, the unlawful disclosure could have been avoided if CarioNet had taken all the steps to comply. Here are minimal requirements:

Conduct a risk analysis. Healthcare practitioners and businesses maintaining PHI are required to review security every year. This is not a recommendation.

Draft complete policies and procedures. Demonstratae that you actually thought about potential risks to PHI and have made it your policy to avoid those risks.

Safeguard ePHI. CardioNet’s stolen laptop was unencrypted. A breach only occurs when the lost ePHI is “unsecured.” Unsecured ePHI is patient information “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons.” Encrypting a laptop that contains ePHI renders those files unusable, unreadable, or indecipherable. If CardioNet had encrypted the stolen laptop, a breach would not have technically occurred and no breach report would have been necessary. Depending on the operating system, encrypting a laptop is as simple as clicking a few buttons.

The Resolution Agreement and Corrective Action Plan can be found here.

Joseph Lombardi is an attorney admitted to practice in the state of Washington. He attended the University of Washington undergraduate and also obtained his law degree from UW. He is a partner in the John S. Conniff law firm and a vice president of Compliant Solutions. He practices law concentrating on health and business matters.